Functional Safety Manual For Safety Related Systems and SIL 2, SIL 3 Applications According IEC 61508 & IEC 61511 Standards

D1000 Series Manual for Safety Related System SIL applications
Functional Safety Manual

for Safety Related Systems
and SIL 2, SIL 3 Applications
according IEC 61508 & IEC 61511 Standards
G.M. International D1000 Series
Intrinsically Safe Interface Modules and
Switching Power Supply PSD1206, PSD1210
Table of Contents
1
2
3
General .................................................................................................................................................................. 3
Functional Safety Specifications from EXIDA and TV analysis, report according IEC 61508 - IEC 61511 5
Definitions............................................................................................................................................................. 8
3.1 Failure categories ........................................................................................................................................ 8
3.1.1 Failure categories for PSD1206 and PSD1210 ............................................................................ 10
3.2 General Terms ........................................................................................................................................... 11
4
Assumptions ...................................................................................................................................................... 12
4.1 Assumption for PSD1206 and PSD1210 ................................................................................................... 13
5
Summary of Data from EXIDA and TV analysis ............................................................................................ 14
5.1 D1010S-054 Isolating -5 +55 mV to 4 20 mA Converter ...................................................................... 14
5.4 D1020S and D1020D Powered Isolating Drivers for I/P, Hart Compatible ................................................. 17
5.5 D1021S Powered Isolating Driver for I/P, with Fault Detection and Hart Compatible ................................ 18
5.6 D1032D Isolating Switch-Proximity Detector Repeater, Relay Output ....................................................... 19
5.7 D1032Q Isolating Switch-Proximity Detector Repeater, Relay Output ....................................................... 20
5.8 D1033D Isolating Switch-Proximity Detector Repeater, Transistor output ................................................. 21
5.9 D1033Q Isolating Switch-Proximity Detector Repeater, Transistor output ................................................. 22
5.10 D1034S and D1034D Isolating Switch-Proximity Detector Interfaces, mA output...................................... 23
5.11 D1040Q, D1042Q, D1043Q, PSD1001(C) Bus Powered Isolating Drivers for NE loads ........................... 24
5.12 D1040Q, D1042Q, D1043Q, PSD1001(C) Loop Powered Isolating Drivers for NE loads ......................... 24
5.13 D1044S Bus Powered Digital Relay Output for NE or ND loads ................................................................ 25
5.14 D1044S Loop Powered Digital Relay Output for NE or ND loads .............................................................. 26
5.15 D1044D Bus Powered (independent channels) Digital Relay Output for NE or ND loads ......................... 27
5.16 D1044D Bus Powered (1oo2 channel architecture) Digital Relay Output for NE or ND loads ................... 28
5.17 D1044D Loop Powered (1oo2 channel architecture) Digital Relay Output for NE or ND loads ................. 29
5.18 D1053S Isolating Analog Signals Converter and Trip Amplifiers (using analog output)............................. 30
5.19 D1053S Isolating Analog Signals Converter and Trip Amplifiers (using 2 relay outputs in series) ............ 31
5.20 PSD1206 and PSD1210 Isolated Switching Power Supplies for NE loads, single unit .............................. 32
5.21 PSD1206 and PSD1210 Isolated Switching Power Supplies for ND loads, single unit.............................. 33
5.22 PSD1206 and PSD1210 Isolated Switching Power Supplies, 2 units in parallel ........................................ 34
5.22.1 NE loads ...................................................................................................................................... 34
5.22.2 ND loads ...................................................................................................................................... 35
ISM0071-13 D1000 Series Manual for Safety Related System SIL applications
Page 1 of 46
6
7
8
9
5.23 PSD1206 and PSD1210 Isolated Switching Power Supplies, 3 units in parallel ........................................ 35
5.23.1 NE loads ...................................................................................................................................... 35
5.23.2 ND loads ...................................................................................................................................... 35
5.24 PSD1206 and PSD1210 Isolated Switching Power Supplies, fail with over voltage condition ................... 36
Notes ................................................................................................................................................................... 37
Possible Proof Tests to reveal Dangerous Undetected Failures ................................................................... 38
7.1 D1010S-054, D1010S-056, D1010S-057 ................................................................................................... 38
7.2 D1020, D1021S.......................................................................................................................................... 38
7.3 D1032, D1033 ............................................................................................................................................ 39
7.4 D1034 ........................................................................................................................................................ 39
7.5 D1040, D1042, D1043, PSD1001, PSD1001C .......................................................................................... 39
7.6 D1044 ........................................................................................................................................................ 40
7.7 D1053S (using analog output) ................................................................................................................... 40
7.8 D1053S (using 2 relay outputs in series) ................................................................................................... 41
7.9 PSD1206, PSD1210 .................................................................................................................................. 42
7.9.1 Test Setup .................................................................................................................................... 42
7.9.2 Test of single Power Supply or individual unit of N unit in parallel............................................. 42
7.9.3 Tests required when the unit is used as subsystem of N units in parallel .................................. 43
Impact of Lifetime of Critical Components on Failure Rate ........................................................................... 46
Influence of PFDavg calculation on efficiency of Proof Test for a 1oo1 architecture.................................. 46
Page 2 of 46
General
This Safety Manual summarizes the results of hardware assessment carried out on the following Intrinsically Safe
modules:
Repeater Driver Interface D1010S-054 (or -056 or -057), D1020, D1021S, D1032, D1033, D1034,
D1040, D1042, D1043; Analog Signals Converter and Trip Amplifier D1053S;Relay Output module D1044, Power
Supply PSD1001(C), PSD1206, PSD1210.
Table 1: Model Output channels Safety Function Table
Model
Output Component
Safety Function
channels
type
D1010S-054
Isolating -5 +55 mV to 4 20 mA Converter
D1010S-056
D1010S-057
D1020S
Powered Isolating Valve Driver, HART compatible
D1020D
Powered Isolating Valve Driver, HART compatible
D1021S
Powered Isolating Valve Driver with Fault Detection, HART compatible
D1032D
Isolating Switch-Proximity Detector Repeater, Relay output
D1032Q
Isolating Switch-Proximity Detector Repeater, Relay output
D1033D
Isolating Switch-Proximity Detector Repeater, O.C. Transistor output
D1033Q
Isolating Switch-Proximity Detector Repeater, O.C. Transistor output
D1034S
Isolating Switch-Proximity Detector Interface, mA output
D1034D
Isolating Switch-Proximity Detector Interface, mA output
D1040Q
Loop / Bus Powered Isolating Driver for NE loads, 22mA at 13.2V (per ch.)
D1042Q
D1043Q
D1044S
Loop / Bus Powered Digital Relay Output for NE or ND loads
D1044D
Loop / Bus Powered Digital Relay Output for NE or ND loads
D1053S
Isolating Analog Signals Converter and Trip Amplifiers
PSD1001
Isolating Power Supply 20 mA at 15 V (per channel)
PSD1001C
Isolating Power Supply 100 mA at 13.5 V
PSD1206
Isolated Switching Power Supply 6 A at 24 Vdc
PSD1210
Isolated Switching Power Supply 10 A at 24 Vdc
Page 3 of 46
The failure rates used in this analysis are the basic failure rates from the Siemens standard SN 29500.
The failure modes distributions used in this analysis are considered according to RAC FMD-91/97.
According the table 2 of IEC 61508-1, the average PFD for systems operating in low demand mode has to be from
1.00 E-03 to < 1.00 E-02 for SIL 2 safety functions. However, as the modules under consideration are only one part
of an entire safety function they should not claim more than 10% 20% of this range. For SIL 2 application the total
PFDavg value of the SIF must be smaller than 1.00 E-02, hence the maximum allowable PFDavg value for the asset
modules would then be 1.00 E-03 (for 10% contribution) and 2.00 E-03 (for 20% contribution). A similar consideration
can be done for SIL 3 application, where limits are ten times smaller than correspondent limits in SIL 2 application.
The listed modules are considered to be Type A (*) or Type B (**) components, with a hardware fault tolerance of 0.
According to table 2 of IEC 61508-2, for Type A components the SFF has to be:
less than 60% for SIL 1 (sub-) systems with a hardware fault tolerance of 0;
equal or more than 60% for SIL 2 (sub-) systems with a hardware fault tolerance of 0;
less than 60% for SIL 2 (sub-) systems with a hardware fault tolerance of 1;
equal or more than 60% for SIL 3 (sub-) systems with a hardware fault tolerance of 1.
According to table 3 of IEC 61508-2, for Type B components the SFF has to be:
equal or more than 90% for SIL 3 (sub-) systems with a hardware fault tolerance of 1.
If the requirements of section 11.4.4 of IEC 61511-1 First Edition 2003-01 are fulfilled, a hardware fault tolerance of 0
is sufficient for SIL 2 (sub-) systems with Type B components and having a SFF equal or more than between 60%.
Assuming that a logic solver (connected to D1000 module outputs) can detect both over-range (fail high) and
under-range (fail-low), high and low failures can be classified as safe detected failures or dangerous detected
failures depending on the application.
At section 5, its showed the summary of functional safety data for each module, according to the following documents:
TV Analysis: Compliance Certificate C - IS - 183645 xx and C - IS - 204194 - xx;
EXIDA Analysis Reports.
(*) Type A component: Non-complex component with all failure modes well defined (for details see 7.4.3.1.2 of
IEC 61508-2).
(**) Type B component: Complex component, using micro controller (for details see 7.4.3.1.3 of IEC 61508-2).
Page 4 of 46
Functional Safety Specifications from EXIDA and TV analysis,

report according IEC 61508 - IEC 61511
Table 2: Functional Safety Specifications

T Proof Test
(Years)
for defined
SIL value
(20% of total
safety func.)
D1010S-054
1 Ch.
mV / mA Signal
Converter
90.1% 1.58 E-04
TI = 5 SIL 2
TI = 1 SIL 3
TI = 10 SIL 2
D1010S-056
1 Ch.
mV / mA Signal
Converter
90.1% 1.58 E-04
TI = 5 SIL 2
TI = 1 SIL 3
TI = 10 SIL 2
D1010S-057
1 Ch.
mV / mA Signal
Converter
90.1% 1.58 E-04
TI = 5 SIL 2
TI = 1 SIL 3
TI = 10 SIL 2
D1020S
1 Ch.
Powered Isolating
Valve Driver
82.1% 3.08 E-04
TI = 3 SIL 2
TI = 6
D1020D
2 Ch.
Powered Isolating
Valve Driver
82.1% 3.08 E-04
TI = 3 SIL 2
D1021S
1 Ch.
Powered Isolating
70.7% 5.18 E-04
Valve Driver (F.D.)
SFF
Fail-Safe
Output
State
Safety Function
EXIDA or TV
analysis
Model
Number
Hardware Fault
Tolerance
PFDavg
per year
T Proof Test
(Years)
for defined
SIL value
(10% of total
safety func.)
SU
(FIT)
DD
(FIT)
DU MTBF
(FIT) (years)
TV
<4 mA
>20 mA
197
131
36.2
308
TV
<4 mA
>20 mA
197
131
36.0
308
TV
<4 mA
>20 mA
197
131
36.2
308
SIL 2
TV
<4 mA
323
70.3
282
TI = 6
SIL 2
0-1
TV
<4 mA
323
70.3
282
TI = 1 SIL 2
TI = 3
SIL 2
Exida
<4 mA
285
118
216
D1032D
2 Ch.
Switch-Proximity
Detector Repeat
Relay output
81.3% 2.65 E-04
TI = 3 SIL 2
TI = 7
SIL 2
TV
deenergized
264
60.5
232
D1032Q
4 Ch.
Switch-Proximity
Detector Repeat
Relay output
82.2% 2.65 E-04
TI = 3 SIL 2
TI = 7
SIL 2
TV
deenergized
280
60.4
173
D1033D
2 Ch.
Switch-Proximity
Detector Repeat 85.8% 1.63 E-04
O.C. Trans. output
TI = 5 SIL 2
TI = 10 SIL 2
TV
deenergized
224
37.2
243
D1033Q
4 Ch.
Switch-Proximity
Detector Repeat 86.6% 1.63 E-04
O.C. Trans. output
TI = 5 SIL 2
TI = 10 SIL 2
TV
deenergized
240
37.1
179
D1034S
1 Ch.
Switch-Proximity
Detector Interface
mA output
93.2% 8.41 E-05
TI = 1 SIL 3
TI = 10 SIL 2
TI = 2 SIL 3
TI = 10 SIL 2
TV
<1.2 mA
>7 mA
147
118
19.2
396
D1034D
2 Ch.
Switch-Proximity
Detector Interface
mA output
93.2% 8.41 E-05
TI = 1 SIL 3
TI = 10 SIL 2
TI = 2 SIL 3
TI = 10 SIL 2
0-1
TV
<1.2 mA
>7 mA
147
118
19.2
396
D1040Q
D1042Q
D1043Q
PSD1001(C)
4 Ch. Bus
Powered
Isolating Solenoid
Valve Driver
for NE loads
80.1% 3.64 E-04
TI = 2 SIL 2
TI = 5 SIL 2
Exida energized
de-
334
83.0
248
D1040Q
D1042Q
D1043Q
PSD1001(C)
4 Ch. Loop
Powered
Isolating Solenoid
Valve Driver
for NE loads
100%
Lifetime = 10
SIL 3
Lifetime = 10
SIL 3
Exida energized
de-
418
248
relay deenergized
with NO
contact
(for NE
load) or
with NC
contact
(for ND
load)
232
38.0
420
D1044S
1 Ch. Bus
Powered,
NE or ND
loads
Digital Relay
Output
0.00 E-00
85.9% 1.66 E-04
TI = 6 SIL 2
TI = 10 SIL 2
TV
Page 5 of 46
D1044D
2 Ch.
Independent
Bus Powered
NE or ND
loads
D1044D
1oo2 channel
architecture
Bus Powered
NE or ND
loads
Digital Relay
Output
Digital Relay
Output
Digital Relay
Output
SFF
PFDavg
per year
88.1% 1.40 E-04
86.7% 1.66 E-04
99.6% 8.32 E-06
TI = 7 SIL 2
TI = 6 SIL 2
TI = 10 SIL 3
TI = 10 SIL 2
TI = 10 SIL 2
TI = 10 SIL 3
Fail-Safe
Output
State
D1044S
1 Ch. Loop
Powered,
NE or ND
loads
Safety Function
T Proof Test
(Years)
for defined
SIL value
(20% of total
safety func.)
EXIDA or TV
analysis
Model
Number
T Proof Test
(Years)
for defined
SIL value
(10% of total
safety func.)
Hardware Fault
Tolerance
SU
(FIT)
DD
(FIT)
DU
(FIT)
MTBF
(years
)
TV
relay deenergized
with NO
contact
(for NE
load) or
with NC
contact
(for ND
load)
238
32.0
420
TV
relay deenergized
with NO
contact
(for NE
load) or
with NC
contact
(for ND
load)
247
38.0
241
TV
relay deenergized
with 2 NO
contacts
in series
(for NE
load) or
with 2 NC
contacts
in parallel
(for ND
load)
468
1.9
241
468
1.6
241
135
267
95.0
208
437
94.0
164
D1044D
1oo2 channel
architecture
Loop
Powered
NE or ND
loads
Digital Relay
Output
99.7% 7.01 E-06
TI = 10 SIL 3
TI = 10 SIL 3
TV
relay deenergized
with 2 NO
contacts
in series
(for NE
load) or
with 2 NC
contacts
in parallel
(for ND
load)
D1053S
Analog
Output
Isolating Analog
Signals Converter
& Trip Amplifiers
80.9% 4.16 E-04
TI = 2 SIL 2
TI = 4 SIL 2
Exida
<4 mA
>20 mA
D1053S
(*) 2 Relay
Outputs
in Series
Isolating Analog
Signals Converter
& Trip Amplifiers
82.3% 4.11 E-04
TI = 2 SIL 2
TI = 4 SIL 2
Exida energized
de-
(*) Trip amplifier safety function concerns only the alarm with 2 relay outputs in series (terminal blocks 5-8).
The analog output is not part of the safety function. Alarm A and Alarm B must be programmed with the same values.
Page 6 of 46
T Proof Test
(Years)
for defined
SIL value
(20% of total
safety func.)
PSD1206
PSD1210
Single Unit
NE Loads
Isolated
Switching
Power Supply
80.1% 5.90 E-04
TI = 1 SIL 2
TI = 3 SIL 2
PSD1206
PSD1210
Single Unit
ND Loads
Isolated
Switching
Power Supply
48.3% 1.53 E-03
TI = 5 SIL 1
TI = 10 SIL 1
PSD1206
PSD1210
2 Units
in parallel
NE Loads
Isolated
Switching
Power Supplies
99.4% 3.03 E-05
TI = 3 SIL 3
TI = 10 SIL 2
TI = 6 SIL 3
TI = 10 SIL 2
PSD1206
PSD1210
2 Units
in parallel
ND Loads
Isolated
Switching
Power Supplies
97.2% 8.09 E-05
TI = 9 SIL 2
TI = 10 SIL 2
SFF
Fail-Safe
Output
State
Safety Function
EXIDA or TV
analysis
Model
Number
Hardware Fault
Tolerance
PFDavg
per year
T Proof Test
(Years)
for defined
SIL value
(10% of total
safety func.)
SU
(FIT)
DD
(FIT)
DU
(FIT)
MTBF
(years
)
Exida
<2V;
20V<
<30V
542
135
134
(with
diagn.)
Exida
20V<
<30V
327
350
134
(with
diagn.)
Exida
<2V;
20V<
<30V
1084
6.9
79
(with
diagn.)
Exida
20V<
<30V
654
18.5
112
(with
diagn.)
Page 7 of 46
Definitions
3.1
Failure categories
In order to judge the failure behavior of the considered modules (except for PSD1206 and PSD1210, explained in
detail at sub-section 3.1.1), the following definitions for the failure of the product must be considered:
Fail-Safe State:
Fail-safe state is defined as the output reaching the user defined threshold or as output being (de-)energized.
Fail Safe:
Failure mode that causes the module/(sub)system to go to the defined fail-safe state without a demand from
the process.
Fail Dangerous:
Failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined
fail-safe state).
Fail Dangerous Undetected:

Failure mode that is dangerous and that is not detected by internal diagnostics.
Fail Dangerous Detected:

Failure mode that is dangerous but that is detected by internal diagnostics (these failures may be converted to
the selected fail-safe state).
Fail High: Failure mode that causes the output signal to go to the maximum limit output value.
Fail Low: Failure mode that causes the output signal to go to the minimum limit output value.
Fail No Effect:
Failure mode of a component that is part of the safety function but has no effect on the safety function.
For the calculation of SFF it is treated like a safe undetected failure.
Fail Annunciation Undetected:

Failure mode that does not directly impact safety but does impact the ability to detect a future fault (such as
a fault in a diagnostic circuit) and that is not detected by internal diagnostics.
Fail Not part:

Failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed
for completeness. When calculating the SFF this failure mode is not taken into account. It is also not considered
for the total failure rate evaluation.
Note: The No Effect and the Annunciation Undetected failures are provided for those who wish to do
reliability modeling more detailed than required by IEC 61508. In IEC 61508 the No Effect and Annunciation
Undetected failures are defined as safe undetected failures even though they will not cause the safety
function to go to a safe state. Therefore they need to be considered in the Safe Failure Functional calculation.
Fail-Safe State for: D1053S, (using analog output)

Depending on the application, the fail-safe state is defined as the current output going to a fail low or fail high.
For D1053S, these low and high levels can be programmed from the user,
and in this functional safety analysis they are set to 20 mA for high and 4 mA for low.
Fail-Safe State for: D1020, D1021S

The fail-safe state is defined as the output going to fail low.
Fail-Safe State for: D1032, D1033 ; PSD1001(C), D1040, D1042, D1043, (in loop/bus
powered mode) ; D1053S, (using 2 relay outputs in series)
The fail-safe state is defined as the output being de-energized or relay contacts remaining open. For D1053S
the user can program the trip point value at which relay output must be de-energized.
Fail-Safe State for D1034

The fail-safe state is defined as the output being below 1.2 mA or above 7 mA.
Fail-Safe State for: D1044

The fail-safe state is defined as the output relay being de-energized, so that: the NO-COM contact is open and
the NC-COM contact is closed.
Page 8 of 46
Fail Dangerous for: D1020, D1021S; D1053S (using analog out)

fail-safe state) or deviates the output current by more than:
5 % of full span (> 0.8 mA), for D1020, D1021S;
3 % of full span (> 0.6 mA), for D1053S.
Fail Dangerous for: D1032, D1033 ; PSD1001(C), D1040, D1042, D1043, (in loop/bus powered
mode) ; D1053S,(using 2 relay outputs in series)
fail-safe state), so that the output remains energized or the relay contacts remain closed.
For D1053S, this failure leads to a measurement error of more than 3 % (of full span for D1053S or 5 % respect
to the correct value and therefore the relay
contacts remains closed (they dont respond to a process demand).
Fail Dangerous for D1034
fail-safe state) or the output current remains between 1.2 mA and 7 mA.
Fail Dangerous for D1044
fail-safe state) so that the output relay remains energized, keeping the NO-COM contact closed and
the NC-COM contact open.
Fail High for:D1020, D1021S ; D1053S, (using analog output)
Failure mode that causes the output signal to go above the maximum output current (i.e. > 20 mA, which has
been choosen in the functional safety analysis as programmed value for D1053S).
Fail High for D1034
Failure mode that causes the output signal to go above 7 mA (short circuit).
Fail Low for: D1020, D1021S ; D1053S, (using analog output)
Failure mode that causes the output signal to go below the minimum output current (i.e. < 4 mA, which has
been choosen in the functional safety analysis as programmed value for D1053S.
Fail Low for D1034
Failure mode that causes the output signal to go below 0.35 mA (lead breakage).
Fail No Effect for: D1020, D1021S ; D1053S (using analog out)
Failure of a component that is part of the safety function but that has no effect on the safety function or deviates
the output current by not more than:
5 % of full span (< 0.8 mA) for D1020, D1021S
3 % of full span (< 0.6 mA) for D1053S.
Page 9 of 46
3.1.1
Failure categories for PSD1206 and PSD1210
In order to judge the failure behavior of the PSD1206 and PSD1210, the following definitions for the failure of the
product must be considered:
Fail-Safe State: The fail-safe state is defined as the output reaching the user defined threshold.
In normally energized (NE) loads, is defined as the output being between 20 V and 30 V (load current up to
80% of rated) or lower than 2V.
In normally de-energized (ND) loads, is defined as the output being between 20 V and 30 V (load current up
to 80% of rated).
Fail Safe: Failure that causes the output to go to the defined fail-safe state without a demand from the process.
Fail Dangerous:
With normally energized (NE) loads, failure that leads to an output higher than 30 V or between 2 V and 20 V.
With normally de-energized (ND) loads, failure that leads to an output higher than 30 V or lower than 20 V.
Fail High: Failure mode that leads to an over voltage condition (> 30 V).
Fail Low: Failure mode that leads to an under voltage condition (< 2 V).
Fail No Effect: Failure mode of a component that is part of the safety function but has no effect on the safety
function. For the calculation of SFF it is treated like a safe undetected failure.
Fail Annunciation Undetected: Failure mode that does not directly impact safety but does impact the ability
to detect a future fault (such as a fault in a diagnostic circuit) and that is not detected by internal diagnostics.
For the calculation of SFF it is treated to 1 % as a dangerous failure and to 99 % as a no effect failure as in this
system there are 3 different over voltage protection mechanism.
Fail Not part: Failures of a component which is not part of the safety function but part of the circuit diagram
and is listed for completeness. When calculating the SFF this failure mode is not taken into account.
It is also not considered for the total failure rate evaluation.
Page 10 of 46
3.2
General Terms
DC: Diagnostic coverage (safe or dangerous) of the safety logic solver for the considered module.
DCs: Diagnostic coverage for safe failures = sd / (sd + su).
DCd: Diagnostic coverage for dangerous failures = dd / (dd + du).
FIT: Failure In Time (1x10 E-9 failures per hour).
Failure Rates:
The failure rate data used in the FMEDA analysis are the basic failure rates from the Siemens SN 29500 failure
rate database. The rates where chosen in a way that is appropriate for safety integrity level verification
calculations, and to mach operating stress conditions typical of an industrial field environment similar to
IEC 60654-1, class C. It is expected that the actual number of field failures will be less than the number
predicted by these failure rates.
FMEA:
Failure Modes and Effects Analysis is a systematic way to identify and evaluate the effects of different
component failure modes, to determine what could eliminate or reduce the chance of failure, and to document
the system in consideration.
FMEDA:
Failure Modes Effects and Diagnostic Analysis is an FMEA extension. It combines standard FMEA techniques
with extension to identify online diagnostics techniques and the failure mode relevant to safety instrumented
system design. It is a technique recommended to generate failure rates for each important category
(safe detected, safe undetected, dangerous detected, dangerous undetected, fail high, fail low) in the safety
modules. The format for the FMEDA is an extension of the FMEA format MIL STD 1629A.
Low demand mode:
Mode where the frequency of demands for operation made on Safety-related system is no greater than
one per year and no greater than twice the proof test frequency.
MTBF: Mean Time Between Failure.
MTTF: Mean Time To Failure.
MTTFS: Mean Time To safe Failure.
MTTFD: Mean Time To dangerous Failure.
MTTR: Mean Time To Repair.
PFDavg: Average Probability of Failure on Demand.
SFF:
Safe Failure Fraction, according IEC 61508 summarizes the fraction of failures, which lead to a safe state and
the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SFF
DD SD SU
DU
1
DD DU SD SU
DD DU SD SU
with:
DD: Dangerous Detected failure rate; DU: Dangerous Undetected failure rate
SD: Safe Detected failure rate;
SU: Safe Undetected failure rate
SIF: Safety Instrumented Function.
SIS: Safety Instrumented System.
SIL: Safety Integrity Level.
T Proof Test & Maintenance (TI) :
Proof Test Interval (for example 1 - 5 - 10 years, with 1 year = 8760 hours).
Maintenance time is considered 8 hours.
Page 11 of 46
Assumptions
The following assumptions have been made during the Failure Modes, Effects, and Diagnostic Analysis of the
Repeater/Driver/Interface/Converter/Relay Modules D1020, D1021S, D1032, D1033, D1034, D1040,
D1042, D1043, D1044, D1053S, and PSD1001(C) power supply.
Failure rates are constant, wear out mechanisms are not included. Propagation of failures is not relevant.
Failures during parameterization are not considered.
The HART protocol is only used for setup, calibration, and diagnostic purposes, not for safety critical operation.
The time to restoration or repair time after a safe failure is 8 hours, as MTTR.
All modules are operated in the low demand mode of operation.
External power supply failure rates are not included.
The stress levels are average for an industrial environment and can be compared to the Ground Fixed
classification of MIL-HNBK-217F. Alternatively, the assumed environment is similar to IEC 654-1, Class C
(sheltered location) with temperature limits within the manufacturers rating and an average temperature over
a long period of time of 40 C. Humidity levels are assumed within manufacturers rating.
The listed failure rates are valid for operating stress conditions typical of an industrial field environment similar
to IEC 60654-1 class C with an average temperature over a long period of time of 40C. For a higher average
temperature of 60 C, the failure rates should be multiplied with an experience based factor of 2.5.
A similar multiplier should be used if frequent temperature fluctuation must be assumed.
Only one input and one output are part of the safety function.
For and D1053S, (using analog output) modules, only the current output is used for safety applications.
For D1053S,(using 2 relay outputs in series) modules, the trip amplifier safety function concerns only the alarm
with 2 relay outputs in series (terminal blocks 5-8). Therefore the analog output is not part of this safety function.
In addition, the common cause factor () for the 2 relays in series is considered to be 5 %. Then, the 2 relay
outputs connected in series can be protected by appropriate mean (e.g. a fuse) which initiates at 60% of the
rated current to avoid contact welding.
For D1032 - D1033 modules, only the 2nd actuation mode configuration (NO input ND relay or NO transistor
output (or its equivalent NC input NE relay or NC transistor output)) can be used for safety application. Then,
input line short - open fault detection has been enabled to de-energized output relay - transistor in case of fault.
The application program in the safety logic solver is configured in such a way that fail low (under-range failure)
and fail high (over-range failure) are detected regardless of the effect, safe or dangerous, on the safety function.
The 4-20 mA output signal is fed to a SIL 2 - SIL 3 compliant analog input board of a safety PLC.
Sufficient test are performed prior to shipment to verify the absence of vendor and/or manufacturing defects,
that prevent proper operation of specified functionality to product specifications or cause operation different
from design analyzed.
Safety Integrity Levels as defined in IEC 61508 and IEC 61511:

SIL
PFDavg
RRF
PFDavg
Safety Integrity Level
Average probability
Risk Reduction
Average probability of
of failure on demand
Factor
dangerous failure on demand
per year (low demand)
per hour (high demand)
SIL 4
105 to < 104
from 100000 to 10000
109 to < 108
SIL 3
104 to < 103
from 10000 to 1000
108 to < 107
SIL 2
103 to < 102
From 1000 to 100
107 to < 106
SIL 1
102 to < 101
From 100 to 10
106 to < 105
Page 12 of 46
4.1
Assumption for PSD1206 and PSD1210
The following assumptions have been made during the Failure Modes, Effects, and Diagnostic Analysis of the
Switching Power Supply Types PSD1206 and PSD1210.
Failure rates are constant, wear out mechanisms are not included.
Propagation of failures is not relevant.
Failures during parameterization are not considered.
Sufficient test are performed prior to shipment to verify the absence of vendor and/or manufacturing defects that
prevent proper operation of specified functionality to product specifications or cause operation different from
design analyzed.
The device is operated in the low demand mode of operation.
The time to restoration or repair time after a safe failure is 8 hours, as MTTR.
Only the described versions are used for safety applications.
Practical fault insertion tests can demonstrate the correctness of the failure effects assumed during the
FMEDAs.
The fault output is not part of the safety function.
The common cause factor between the two crowbars is estimated at be 5 %.
The stress levels are average for an industrial environment and the assumed environment is similar to
IEC 60654-1, Class C (Sheltered location) with temperature limits within the manufacturers rating and an
average temperature over a long period of time of 40 C.
Humidity levels are assumed within manufacturers rating.
The listed failure rates are valid for operating stress conditions typical of an industrial field environment similar
to IEC 60654-1 class C with an average temperature over a long period of time of 40 C. For a higher average
temperature of 60 C, the failure rates should be multiplied with an experience based factor of 2.5.
A similar multiplier should be used if frequent temperature fluctuation must be assumed.
Over-voltage protection has a diagnostic coverage of 99 %.
Page 13 of 46
Summary of Data from EXIDA and TV analysis
Note:
in the following PFDavg vs T[Proof] tables with determination of SIL, green color indicates that PFDavg of the unit is
less than or equal to 10% or 20% of the PFDavg required by its SIL level (see table at section 4), while yellow color
indicates that PFDavg of the unit is more than 10% or 20% of the PFDavg required by its SIL level.
5.1
D1010S-054 Isolating -5 +55 mV to 4 20 mA Converter
In the following tables are shown functional safety data, as defined in TV Compliance Certificate C - IS - 183645 - xx.
Table 3: Failure rates
Failure category
Failure rates (FIT)
Total Fail Dangerous Detected = dd
130.93
Fail Dangerous Detected (internal diagnostics or indirectly)
1.90
Fail High (detected by the logic solver)
28.00
Fail Low (detected by the logic solver)
101.03
Total Fail Dangerous Undetected = du
36.15
Total Fail Safe Detected = sd
0.00
Total Fail Safe Undetected = su = Fail No Effect
197.32
Total Failure Rate (Safety Function) = sd + su + dd + du
364.40
Fail Not Part = notpart
6.60
Total Failure Rate (Device) = sd + su + dd + du + notpart
371.00
MTBF = MTTF + MTTR = 1/(sd + su + dd + du + notpart) + MTTR
308 years
MTTFS = 1/(sd + su)
579 years
MTTFD = 1/du
3158 years
Table 4: Failure rates according to IEC 61508

sd
su
dd
du
SFF
DCs
DCd
0.00 FIT
197.32 FIT
130.93 FIT
36.15 FIT
90.08%
0.00%
78.36%
Table 5: PFDavg vs T[Proof], with determination of SIL supposing module contributes 10% of entire safety function
T[Proof] = 1 year
T[Proof] = 5 years
T[Proof] = 10 years
PFDavg = 1.58 E-04
PFDavg = 7.92 E-04
Valid for SIL 2
Valid for SIL 2
See Note 2 Section 6
PFDavg = 1.58 E-03

See Note 3 and Note 4 Section 6
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 1.58 E-04
PFDavg = 1.58 E-03
Valid for SIL 3
Valid for SIL 2
Page 14 of 46
5.2
Failure category
Failure rates (FIT)
130.88
1.83
27.88
101.17
36.03
0.00
197.29
364.20
6.60
370.80
308 years
MTTFS = 1/(sd + su)
579 years
MTTFD = 1/du
3168 years

sd
su
dd
du
SFF
DCs
DCd
0.00 FIT
197.29 FIT
130.88 FIT
36.03 FIT
90.11%
0.00%
78.41%
T[Proof] = 1 year
T[Proof] = 5 years
T[Proof] = 10 years
PFDavg = 1.58 E-04
PFDavg = 7.89 E-04
Valid for SIL 2
Valid for SIL 2
PFDavg = 1.58 E-03

T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 1.58 E-04
PFDavg = 1.58 E-03
Valid for SIL 3
Valid for SIL 2
Page 15 of 46
5.3
Failure category
Failure rates (FIT)
130.90
1.83
27.90
101.17
36.18
0.00
197.32
364.40
6.60
371.00
308 years
MTTFS = 1/(sd + su)
579 years
MTTFD = 1/du
3155 years

sd
su
dd
du
SFF
DCs
DCd
0.00 FIT
197.32 FIT
130.90 FIT
36.18 FIT
90.07%
0.00%
78.35%
T[Proof] = 1 year
T[Proof] = 5 years
T[Proof] = 10 years
PFDavg = 1.58 E-04
PFDavg = 7.92 E-04
Valid for SIL 2
Valid for SIL 2
PFDavg = 1.58 E-03

T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 1.58 E-04
PFDavg = 1.58 E-03
Valid for SIL 3
Valid for SIL 2
Page 16 of 46
5.4
D1020S and D1020D Powered Isolating Drivers for I/P, Hart Compatible
The 2 channels of D1020D module could be used to increase the hardware fault tolerance, needed for a higher SIL
of a certain Safety Function, as they are completely independent each other, not containing common components.
In fact, the analysis results got for D1020S (single ch.) are also valid for each channel of D1020D (double ch.).
Failure category
Failure rates (FIT)
0.00
70.32
Fail Dangerous Undetected
49.92
Fail High
20.40
0.00
Total Fail Safe Undetected = su
323.00
Fail Low
90.14
Fail No Effect
231.15
Fail Dangerous Detected
1.71
393.32
10.88
404.20

MTTFS = 1/(sd + su)
282 years
353 years
MTTFD = 1/du
1623 years

sd
su
dd
du
SFF
0.00 FIT
323.00 FIT
0.00 FIT
70.32 FIT
82.12%
T[Proof] = 1 year
T[Proof] = 3 years
PFDavg = 3.08 E-04
PFDavg = 9.24 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 3.08 E-03
T[Proof] = 1 year
T[Proof] = 6 years
PFDavg = 3.08 E-04
PFDavg = 1.85 E-03
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 3.08 E-03
Page 17 of 46
5.5
D1021S Powered Isolating Driver for I/P, with Fault Detection and
Hart Compatible
In the following tables are shown functional safety data, as defined in EXIDA Report GM 03/07-24 R001 Version V2,
Revision R1.
Failure category
Failure rates (FIT)
0.00
118.30
85.30
Fail High
33.00
0.00
285.00
Fail Low
109.00
Fail No Effect
176.00
403.30
126.00
529.30
216 years
MTTFS = 1/(sd + su)
400 years
MTTFD = 1/du
965 years

sd
su
dd
du
SFF
0.00 FIT
285.00 FIT
0.00 FIT
118.30 FIT
70.66%
T[Proof] = 1 year
PFDavg = 5.18 E-04
Valid for SIL 2
T[Proof] = 3 years
T[Proof] = 10 years
PFDavg = 1.55 E-03
PFDavg = 5.18 E-03
T[Proof] = 1 year
T[Proof] = 3 years
PFDavg = 5.18 E-04
PFDavg = 1.55 E-03
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 5.18 E-03
Page 18 of 46
5.6
D1032D Isolating Switch-Proximity Detector Repeater, Relay Output
The 2 channels of D1032D module should not be used to increase the hardware fault tolerance, needed for a higher
SIL of a certain Safety Function, as they are not completely independent each other, containing common components.
This analysis was executed always considering that the safety function is carried out via 1 input and 1 output channel,
but considering also the influence of the other channel on the first one.
Failure category
Failure rates (FIT)
0.00
60.51
0.00
263.79
Fail Safe Undetected
147.17
Fail No Effect
114.97
Fail Annunciation Undetected
0.16
1.49
324.30
167.40
491.70

MTTFS = 1/(sd + su)
232 years
433 years
MTTFD = 1/du
1887 years

sd
su
dd
du
SFF
0.00 FIT
263.79 FIT
0.00 FIT
60.51 FIT
81.34%
T[Proof] = 1 year
T[Proof] = 3 years
PFDavg = 2.65 E-04
PFDavg = 7.95 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 2.65 E-03
T[Proof] = 1 year
T[Proof] = 7 years
PFDavg = 2.65 E-04
PFDavg = 1.86 E-03
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 2.65 E-03
Page 19 of 46
5.7
D1032Q Isolating Switch-Proximity Detector Repeater, Relay Output
The 4 channels of D1032Q module should not be used to increase the hardware fault tolerance, needed for a higher
but considering also the influence of the others channels on the first one.
Failure category
Failure rates (FIT)
0.00
60.43
0.00
279.63
151.55
Fail No Effect
126.55
0.16
1.37
340.06
319.45
659.51

MTTFS = 1/(sd + su)
173 years
408 years
MTTFD = 1/du
1889 years

sd
su
dd
du
SFF
0.00 FIT
279.63 FIT
0.00 FIT
60.43 FIT
82.23%
T[Proof] = 1 year
T[Proof] = 3 years
PFDavg = 2.65 E-04
PFDavg = 7.94 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 2.65 E-03
T[Proof] = 1 year
T[Proof] = 7 years
PFDavg = 2.65 E-04
PFDavg = 1.85 E-03
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 2.65 E-03
Page 20 of 46
5.8
D1033D Isolating Switch-Proximity Detector Repeater, Transistor output
The 2 channels of D1033D module should not be used to increase the hardware fault tolerance, needed for a higher
but considering also the influence of the other channel on the first one.
Failure category
Failure rates (FIT)
0.00
37.21
0.00
224.09
107.29
Fail No Effect
115.15
0.16
1.49
261.30
209.20
470.50

MTTFS = 1/(sd + su)
243 years
509 years
MTTFD = 1/du
3068 years

sd
su
dd
du
SFF
0.00 FIT
224.09 FIT
0.00 FIT
37.21 FIT
85.76%
T[Proof] = 1 year
T[Proof] = 5 years
PFDavg = 1.63 E-04
PFDavg = 8.15 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 1.63 E-03
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 1.63 E-04
PFDavg = 1.63 E-03
Valid for SIL 2
Valid for SIL 2
Page 21 of 46
5.9
D1033Q Isolating Switch-Proximity Detector Repeater, Transistor output
The 4 channels of D1033Q module should not be used to increase the hardware fault tolerance, needed for a higher
but considering also the influence of the others channels on the first one.
Failure category
Failure rates (FIT)
0.00
37.13
0.00
239.93
111.67
Fail No Effect
126.73
0.16
1.37
277.06
361.25
638.31

MTTFS = 1/(sd + su)
179 years
476 years
MTTFD = 1/du
3074 years

sd
su
dd
du
SFF
0.00 FIT
239.93 FIT
0.00 FIT
37.13 FIT
86.60%
T[Proof] = 1 year
T[Proof] = 5 years
PFDavg = 1.63 E-04
PFDavg = 8.13 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 1.63 E-03
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 1.63 E-04
PFDavg = 1.63 E-03
Valid for SIL 2
Valid for SIL 2
Page 22 of 46
5.10
D1034S and D1034D Isolating Switch-Proximity Detector Interfaces,

mA output
The 2 channels of D1034D module could be used to increase the hardware fault tolerance, needed for a higher SIL
of a certain Safety Function, as they are completely independent each other, not containing common components.
In fact, the analysis results got for D1034S (single ch.) are also valid for each channel of D1034D (double ch.).
Failure category
Failure rates (FIT)
117.83
0.29
36.83
80.71
19.20
0.00
147.17
284.20
4.00
288.20
396 years
MTTFS = 1/(sd + su)
776 years
MTTFD = 1/du
5946 years

sd
su
dd
du
SFF
DCs
DCd
0.00 FIT
147.17 FIT
117.83 FIT
19.20 FIT
93.24%
0.00%
85.99%
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 8.41 E-05
PFDavg = 8.41 E-04
Valid for SIL 3
Valid for SIL 2
T[Proof] = 1 year
T[Proof] = 2 years
T[Proof] = 10 years
PFDavg = 8.41 E-05
PFDavg = 1.68 E-04
PFDavg = 8.41 E-04
Valid for SIL 3
Valid for SIL 3
Valid for SIL 2
Page 23 of 46
5.11
D1040Q, D1042Q, D1043Q, PSD1001(C) Bus Powered Isolating Drivers

for NE loads
Revision R1.
Failure category
Failure rates (FIT)
1.49
83.20
0.00
333.40
196.00
Fail No Effect
135.00
2.40
418.09
42.60
460.69

MTTFS = 1/(sd + su)
248 years
342 years
MTTFD = 1/du
1372 years

sd
su
dd
du
SFF
0.00 FIT
333.40 FIT
1.49 FIT
83.20 FIT
80.12%
T[Proof] = 1 year
T[Proof] = 2 years
PFDavg = 3.64 E-04
PFDavg = 7.28 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 3.63 E-03
5.12
T[Proof] = 1 year
T[Proof] = 5 years
PFDavg = 3.64 E-04
PFDavg = 1.82 E-03
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 3.63 E-03
D1040Q, D1042Q, D1043Q, PSD1001(C) Loop Powered Isolating Drivers

for NE loads
Revision R1.
Because the loop powered modules are directly driven from the digital output of a safety PLC, there is no additional
power supply which can keep the output energized in case of an internal fault. Thus all internal faults have either no
effect on the safety function or lead to a safe state, as reported in the following table.
sd
su
dd
du
SFF
notpart
MTBF
0.00 FIT
418.09 FIT
(No Effect = 137.40 FIT)
0.00 FIT
0.00 FIT
100.00%
42.60 FIT
248 years
Considering that the PFDavg value is always equal to zero because du = 0.00 FIT, the SFF > 99% and the hardware
fault tolerance is 0, then the Digital Output Modules D1040, D1042, D1043, PSD1001, PSD1001C, when configured in
loop powered mode, can be used for SIL 3 safety applications, during them lifetime (up to 10 years).
Page 24 of 46
5.13
D1044S Bus Powered Digital Relay Output for NE or ND loads
In the following tables are shown functional safety data, as defined in TV Compliance Certificate C - IS - 204194 - 01.
Failure category
Failure rates (FIT)
0.00
37.99
0.00
231.81
125.73
Fail No Effect
106.08
269.80
2.00
271.80

MTTFS = 1/(sd + su)
420 years
492 years
MTTFD = 1/du
3005 years

sd
su
dd
du
SFF
0.00 FIT
231.81 FIT
0.00 FIT
37.99 FIT
85.92%
T[Proof] = 1 year
T[Proof] = 6 years
PFDavg = 1.66 E-04
PFDavg = 9.98 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 1.66 E-03
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 1.66 E-04
PFDavg = 1.66 E-03
Valid for SIL 2
Valid for SIL 2
Page 25 of 46
5.14
D1044S Loop Powered Digital Relay Output for NE or ND loads
Failure category
Failure rates (FIT)
0.00
32.00
0.00
237.80
130.22
Fail No Effect
107.58
269.80
2.00
271.80

MTTFS = 1/(sd + su)
420 years
480 years
MTTFD = 1/du
3567 years

sd
su
dd
du
SFF
0.00 FIT
237.80 FIT
0.00 FIT
32.00 FIT
88.14%
T[Proof] = 1 year
T[Proof] = 7 years
PFDavg = 1.40 E-04
PFDavg = 9.81 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 1.40 E-03
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 1.40 E-04
PFDavg = 1.40 E-03
Valid for SIL 2
Valid for SIL 2
Page 26 of 46
5.15
D1044D Bus Powered (independent channels) Digital Relay Output

for NE or ND loads
Failure category
Failure rates (FIT)
0.00
37.99
0.00
246.81
131.33
Fail No Effect
115.48
284.80
188.60
473.40

MTTFS = 1/(sd + su)
241 years
462 years
MTTFD = 1/du
3005 years

sd
su
dd
du
SFF
0.00 FIT
246.81 FIT
0.00 FIT
37.99 FIT
86.66%
T[Proof] = 1 year
T[Proof] = 6 years
PFDavg = 1.66 E-04
PFDavg = 9.98 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 1.66 E-03
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 1.66 E-04
PFDavg = 1.66 E-03
Valid for SIL 2
Valid for SIL 2
Page 27 of 46
5.16
D1044D Bus Powered (1oo2 channel architecture) Digital Relay Output

for NE or ND loads
Failure category
Failure rates (FIT)
0.00
1.90
0.00
467.50
291.56
Fail No Effect
175.94
469.40
4.00
473.40

MTTFS = 1/(sd + su)
241 years
244 years
MTTFD = 1/du
60082 years

sd
su
dd
du
SFF
0.00 FIT
467.50 FIT
0.00 FIT
1.90 FIT
99.59%
Table 62: PFDavg vs T[Proof], with determination of SIL supposing module contributes 10% or more of entire safety
function
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 8.32 E-06
PFDavg = 8.32 E-05
Valid for SIL 3
Valid for SIL 3
Page 28 of 46
5.17
D1044D Loop Powered (1oo2 channel architecture) Digital Relay Output

for NE or ND loads
Failure category
Failure rates (FIT)
0.00
1.60
0.00
467.80
288.86
Fail No Effect
178.94
469.40
4.00
473.40

MTTFS = 1/(sd + su)
241 years
244 years
MTTFD = 1/du
71347 years

sd
su
dd
du
SFF
0.00 FIT
467.80 FIT
0.00 FIT
1.60 FIT
99.66%
Table 65: PFDavg vs T[Proof], with determination of SIL supposing module contributes 10% or more of entire safety
function
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 7.01 E-06
PFDavg = 7.01 E-05
Valid for SIL 3
Valid for SIL 3
Page 29 of 46
5.18
D1053S Isolating Analog Signals Converter and Trip Amplifiers

(using analog output)
Revision R0.
Failure category
Failure rates (FIT)
267.00
65.00
82.00
120.00
95.00
0.00
135.00
Fail No Effect
134.00
1.00
497.00
51.00
548.00
208 years
MTTFS = 1/(sd + su)
846 years
MTTFD = 1/du
1202 years

sd
su
dd
du
SFF
DCs
DCd
0.00 FIT
135.00 FIT
267.00 FIT
95.00 FIT
80.89%
0.00%
73.76%
T[Proof] = 1 year
T[Proof] = 2 years
PFDavg = 4.16 E-04
PFDavg = 8.32 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 4.15 E-03
T[Proof] = 1 year
T[Proof] = 4 years
PFDavg = 4.16 E-04
PFDavg = 1.66 E-03
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 4.15 E-03
Page 30 of 46
5.19
D1053S Isolating Analog Signals Converter and Trip Amplifiers

(using 2 relay outputs in series)
Revision R0.
Failure category
Failure rates (FIT)
0.00
94.00
0.00
437.00
270.00
Fail No Effect
114.00
28.00

(by internal diagnostics and converted into Fail Safe Undetected)
25.00
531.00
160.00
691.00

MTTFS = 1/(sd + su)
164 years
261 years
MTTFD = 1/du
1214 years

sd
su
dd
du
SFF
0.00 FIT
437.00 FIT
0.00 FIT
94.00 FIT
82.30%
T[Proof] = 1 year
T[Proof] = 2 years
PFDavg = 4.11 E-04
PFDavg = 8.22 E-04
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 4.10 E-03
T[Proof] = 1 year
T[Proof] = 4 years
PFDavg = 4.11 E-04
PFDavg = 1.64 E-03
Valid for SIL 2
Valid for SIL 2
T[Proof] = 10 years
PFDavg = 4.10 E-03
Page 31 of 46
5.20
PSD1206 and PSD1210 Isolated Switching Power Supplies for NE loads,

single unit
In the following tables are shown functional safety data, as defined in EXIDA Report GMI 06/11-20 R004 Version V1,
Revision R0.
Failure category
Failure rates (FIT)
0.00
134.80
134.00
Fail High (1% of Total Fail High)
0.21
Fail Annunciation Undetected (1% of Total Fail Ann. Undet.)
0.59
0.00
542.20
34.00
Fail No Effect
214.00
20.79
Fail Low
215.00
58.41
677.00
174.00
851.00
134 years
MTTFS = 1/(sd + su)
210 years
MTTFD = 1/du
847 years

sd
su
dd
du
SFF
0.00 FIT
542.20 FIT
0.00 FIT
134.80 FIT
80.09%
T[Proof] = 1 year
PFDavg = 5.90 E-04
Valid for SIL 2
T[Proof] = 3 years
T[Proof] = 6 years
T[Proof] = 10 years
PFDavg = 1.77 E-03
PFDavg = 3.54 E-03
PFDavg = 5.90 E-03
See Note 3 and Note 4

Section 6

Section 6

Section 6
T[Proof] = 1 year
T[Proof] = 3 years
PFDavg = 5.90 E-04
PFDavg = 1.77 E-03
Valid for SIL 2
Valid for SIL 2
T[Proof] = 6 years
T[Proof] = 10 years
PFDavg = 3.54 E-03
PFDavg = 5.90 E-03

Section 6

Section 6
Page 32 of 46
5.21
PSD1206 and PSD1210 Isolated Switching Power Supplies for ND loads,

single unit
In the following tables are shown functional safety data, as defined in EXIDA Report GMI 06/11-20 R004 Version V1,
Revision R0.
Failure category
Failure rates (FIT)
0.00
349.80
134.00
0.21
Fail Low
215.00
0.59
0.00
327.20
34.00
Fail No Effect
214.00
20.79
58.41
677.00
174.00
851.00
134 years
MTTFS = 1/(sd + su)
349 years
MTTFD = 1/du
326 years

sd
su
dd
du
SFF
0.00 FIT
327.20 FIT
0.00 FIT
349.80 FIT
48.33%
T[Proof] = 1 year
T[Proof] = 5 years
PFDavg = 1.53 E-03
PFDavg = 7.66 E-03
Valid for SIL 1
Valid for SIL 1
T[Proof] = 9 years
T[Proof] = 10 years
PFDavg = 1.38 E-02
PFDavg = 1.53 E-02
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 1.53 E-03
PFDavg = 1.53 E-02
Valid for SIL 1
Valid for SIL 1
Page 33 of 46
5.22
PSD1206 and PSD1210 Isolated Switching Power Supplies,

2 units in parallel
One way to calculate the PFDavg of a system with 2 power supply units in parallel architecture is by using the fault
tree as presented in Figure 1.
System of two PSD12xx connected in
parallel architecture fails undetected
OR
Both PSD12xx fail because of

common cause ( = 5%)
&
First PSD12xx
fails undetected
Second PSD12xx
fails undetected
Figure 1: Fault tree diagram for 2 power supply units in parallel (two PSD1210 or two PSD1206 models).
The probability of this system to fail is calculated as follows, considering 5 %
two power supply units PSD12xx:
common cause factor, between the
PFDAVG _ System (TI x years ) PFDAVG _ PSD12xx (TI x years ) 1 PFDAVG _ PSD12xx (TI x years )
2
where,
DU
TI
TI
DU 1 DU
2
2
= Dangerous Undetected failure rate of PSD12xx; TI = Proof Test Interval .
5.22.1 NE loads
For 2 power supply units in parallel architecture driving NE loads, its possible to calculate the system probability
to fail for different TI values by using previous PFDAVG _ System (TI x years ) equation and replacing
PFDAVG _ PSD12xx (TI x years ) with values in Table 76 and Table 77 (for 10% and 20% contribution to total SIF)
or replacing
DU
with value in Table 75.
Table 82: PFDAVG _ System (TI x years ) , with determination of SIL supposing module contributes 10% of total SIF
T[Proof] = 1 year
T[Proof] = 3 years
T[Proof] = 6 years
T[Proof] = 10 years
PFDavg = 3.03 E-05
PFDavg = 9.34 E-05
PFDavg = 1.90 E-04
PFDavg = 3.41 E-04
Valid for SIL 3
Valid for SIL 3
Valid for SIL 2
Valid for SIL 2
T[Proof] = 1 year
T[Proof] = 3 years
T[Proof] = 6 years
T[Proof] = 10 years
PFDavg = 3.03 E-05
PFDavg = 9.34 E-05
PFDavg = 1.90 E-04
PFDavg = 3.41 E-04
Valid for SIL 3
Valid for SIL 3
Valid for SIL 3
Valid for SIL 2
Page 34 of 46
5.22.2 ND loads
For 2 power supply units in parallel architecture driving ND loads, its possible to calculate the system probability
to fail for different TI values by using previous PFDAVG _ System (TI x years ) equation and replacing
PFDAVG _ PSD12xx (TI x years ) with values in Table 80 and Table 81 (for 10% and 20% contribution to total SIF)
or replacing
DU
T[Proof] = 1 year
T[Proof] = 5 years
T[Proof] = 9 years
T[Proof] = 10 years
PFDavg = 8.09 E-05
PFDavg = 4.65 E-04
PFDavg = 9.40 E-04
Valid for SIL 2
Valid for SIL 2
Valid for SIL 2
PFDavg = 1.10 E-03

Section 6
5.23
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 8.09 E-05
PFDavg = 1.10 E-03
Valid for SIL 2
Valid for SIL 2

3 units in parallel
For 3 power supply units in parallel architecture, its possible to calculate the system probability to fail for different TI
values by using the following equation:
TI 1 DU TI
PFDAVG _ System (TI x years ) DU
2
4
= Dangerous Undetected failure rate of PSD12xx; TI = Proof Test Interval .
3
where,
= 5 %; DU
5.23.1 NE loads
Use previous PFDAVG _ System (TI x years ) equation and replace
DU
T[Proof] = 1 year
T[Proof] = 3 years
T[Proof] = 10 years
PFDavg = 2.99 E-05
PFDavg = 8.96 E-05
PFDavg = 2.99 E-04
Valid for SIL 3
Valid for SIL 3
Valid for SIL 2
5.23.2 ND loads
Use previous PFDAVG _ System (TI x years ) equation and replace
DU
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 7.80 E-05
PFDavg = 7.87 E-04
Valid for SIL 2
Valid for SIL 2
Page 35 of 46
5.24

fail with over voltage condition
One way to calculate the probability that the Isolated Switching Power Supply types PSD1206 and PSD1210 fail with
an over voltage condition is by using the fault tree as presented in Figure 2. When using fault trees, the PFD should
be calculated for multiple time steps (e.g. each hour) and then averaged over the time period of interest.
Over voltage condition
&
Power Supply
fails with over
voltage
Over voltage
protection fails
undetected
Crowbars fail
undetected
&
Crowbar 1 fails
undetected
Crowbar 2 fails
undetected
Both crowbars
fail because of
common cause
Figure 2: Fault tree for the probability to fail with an over voltage condition.
The probability of the system to fail with an over voltage condition is calculated as follows for each time step:
PFDAVG_OC_Sys = PFD_OC_PS * PFD_OP * PFD_CB
PFD_CB = PFD_CB1 * PFD_CB2 + * PFD_CB12
PFD_OC_PS (Tproof = 1 year) = 1.84 E-04
PFD_OP (Tproof = 1 year) = 9.64 E-05
PFD_CB1 (Tproof = 1 year) = PFD_CB2 (Tproof = 1 year) = 2.10 E-04
PFD_CB12 (Tproof = 1 year) = 2.11 E-04
* PFD_CB12 (Tproof = 1 year) = 0.05 * 2.11 E-04 = 1.05 E-05
PFD_CB (Tproof = 1 year) = 1.06 E-05
PFDAVG_OC_Sys (Tproof = 1 year) = 9.36 E-14
Page 36 of 46
Notes
Note 1:
Considering a SIL 3 application, the total PFDavg value of the SIF must be < 1.00 E-03 according to table 2 of
IEC 61508-1 and table 3.1 of ANSI/ISA-84.01-1996. However, as the module under consideration contributes
for only 10% of the entire SIF, the PFDavg value of the module must be 1.00 E-04. This limit is satisfied
from the calculated PFDavg value, therefore the module is valid for SIL 3 application.
Note 2:
Note 3:
for only 10% of the entire SIF, the PFDavg value of the module must be 1.00 E-03. This limit is NOT
satisfied from the calculated PFDavg value, therefore the module is NOT valid for SIL 2 application, but its ok
for SIL 1.
Note 4:
Note 5:
satisfied from the calculated PFDavg value, therefore the module is NOT valid for SIL 1 application.
Note 6:
Note 7:
Note 8:
satisfied from the calculated PFDavg value, therefore the module is NOT valid for SIL 2 application, but its ok
for SIL 1.
Note 9:
Note 10:
It is important to realize that the No Effect failures and the Annunciation Undetected failures are included in
the Safe Undetected failure category according to IEC 61508. Note that these failures themselves will not
affect system reliability or safety, and should not be included in spurious trip calculations.
Page 37 of 46
Possible Proof Tests to reveal Dangerous Undetected Failures
According to section 7.4.3.2.2 f) of IEC 61508-2 proof test shall be performed to reveal dangerous failures which are
undetected by diagnostic tests. This means that it is necessary to specify how dangerous undetected failures, which
have been noted during the FMEDA, can be detected during proof testing.
Proof tests should be carried out by qualified service instrumentation technicians.
Any failures or faults should be reported to G.M. International srl (see last page for contact details).
7.1
D1010S-054, D1010S-056, D1010S-057
Table 88: Steps for the Proof test 1

Steps
Action
Bypass the safety PLC or take other appropriate action to avoid a false trip.
Send a mV signal to the mV / mA converter to go to the full scale current output and verify that the analog current reaches that value.
This test for compliance voltage problems such as a low loop power supply voltage or increased wiring resistance.
This also tests for other possible failures.
Send a mV signal to the mV / mA converter to go to the low scale current output and verify that the analog current reaches that value.
Restore the loop to full operation.
Remove the bypass from the safety-related PLC or otherwise restore normal operation.
This test for possible quiescent current related failures.
This test will detect approximately 50 % of possible Dangerous Undetected failures in the mV / mA converter.
Steps
Action
Perform step 2 and 3 of the Proof Test 1 (on Table 88).
3
4
Perform a two-point calibration of the mV / mA converter (i.e.: -5mV and +55 mV for D1010S-054; -5mV and +35 mV for D1010S-056;
-5mV and +10 mV for D1010S-057) and verify that the output current from the module is within the specified accuracy.
Restore the current loop to full operation.
This test will detect approximately 99 % of possible Dangerous Undetected failures in the mV / mA converter.
7.2
D1020, D1021S

Steps
Action
Take appropriate action to avoid a false trip.
Provide a 20mA control signal to the driver to open/close the valve and verify that the valve is open/closed.
This test for compliance voltage problems such as a loop power supply voltage or increased wiring resistance. This also tests for
other possible failures. It requires, however, that the positioner has already been tested without the driver and does not contain any
dangerous undetected faults.
Provide a 4mA control signal to the driver to close/open the valve and verify that the valve is closed/open.
This test for possible quiescent current related failures. It requires, however, that the positioner has already been tested without the
driver and does not contain any dangerous undetected faults.
Restore normal operation.
This test will detect approximately 70 % of possible Dangerous Undetected failures in the repeater.
Steps
Action
Perform step 2 and 3 of Proof Test 1 (on Table 90).
Perform a two-point calibration of the positioner (i.e. 4mA and 20mA) and verify that the output current from the module is within
the specified accuracy. It requires, however, that the positioner has already been tested without the driver and does not contain any
dangerous undetected faults.
Page 38 of 46
7.3
D1032, D1033
Note for contacts input: to detect a broken wire, or a short circuit condition, in the input connections it is necessary to
mount, close to the contacts, 1K resistor in series and 10K resistor in parallel to the contacts.
Table 92: Steps for the Proof test
Steps
Action
Bypass the safety-related PLC or take other appropriate action to avoid a false trip.
Vary the state conditions of the input sensors/contacts coming from field and verify that relay/transistor outputs change from energized
to de-energized and vice versa, and check that the de-energized state condition correspond to the required safety related function.
Disconnect the input wiring coming from the field sensor/contact and check that the proper wire break alarm output is de-energized.
Short the input connections and verify that the same output remains de-energized.
In both case the proper alarm LEDs, on the front panel, will become red.
7.4
D1034
Note for contacts input: to detect a broken wire, or a short circuit condition, in the input connections it is necessary to
mount, close to the contacts, 1K resistor in series and 10K resistor in parallel to the contacts.
Steps
Action
Contacts input: Vary the state conditions of the input sensors/contacts connected in the field and verify that the value of output current
is about 4mA for closed contacts and about 0.66 mA for open contacts.
Proximity input: Vary the state conditions of the proximity switches connected in the field from ON to OFF conditions and verify that the
these conditions are correctly transferred to the PLC.
Disconnect the input wiring coming from the field sensor/contact and check that the output for open connection conditions is equal or
less 0.35mA, and for short circuit conditions equal or above 6.8 mA.
7.5
D1040, D1042, D1043, PSD1001, PSD1001C

Steps
Action
Provide a control signal to the Digital Output Modules D104* and PSD1001 (C) to open/close the driven output and verify that
the driven output is open/closed.
This test will detect approximately 99 % of possible Dangerous Undetected failures in these Digital Output Modules.
Page 39 of 46
7.6
D1044

Steps
Action
Bypass the safety-related PLC or take other appropriate action to avoid a false trip.
For the single channel, verify the input-to-output channel functionality:

For NO contact, the output load is normally energized (NE) when the input channel is on, while the de-activation (safe state) of the
input channel de-energizes the load;
For NC contact, the output load is normally de-energized (ND) when the input channel is on, while the de-activation (safe state) of
the input channel energizes the load.
The channel functionality must be verified in the 20 to 30 Vdc supply voltage range of the module. To enable or disable the input
channel, connect a DC power supply to the input terminals. To check the ohmic continuity of the NO and NC contacts, connect an
ohmmeter in series to NO-COM output contact and another one in series to NC-COM output contact. Execute the following procedure:
Do not enable (DC power supply voltage 1V) the input channel (terminals 5 & 6 or 7 & 8) of the unit under test and verify
that the ohmic continuity is absent at the NO-COM output contact (terminals 13/14 & 15 or 9/10 & 11), while it is present at
the NC-COM output contact (terminals 16 & 15 or 12 & 11), so that the 1st requisite is verified;
Enable (DC power supply voltage 6V) the input channel (terminals 5 & 6 or 7 & 8) of the unit under test and verify that the
ohmic continuity is present at the NO-COM output contact (terminals 13/14 & 15 or 9/10 & 11), while it is absent at the
NC-COM output contact (terminals 16 & 15 or 12 & 11), so that the 2nd requisite is verified.
Remove the bypass from the safety-related PLC or restore normal operation.
This test detects almost 100 % of all possible Dangerous Undetected failures in the digital relay module.
7.7
D1053S (using analog output)

Steps
Action
Send a command to the analog signals converter to go to the full scale current output and verify that the analog current
reaches that value.
Send a command to the analog signals converter to go to the low scale current output and verify that the analog current
reaches that value. This test for possible quiescent current related failures.
3
4
This test will detect approximately 50 % of possible Dangerous Undetected failures in the analog signals converter or
the repeater.
Steps
Action
Perform a two-point calibration of the analog signals converter (i.e. 4mA and 20mA) and verify that the output current
from the module is within the specified accuracy.
the repeater.
Page 40 of 46
7.8
D1053S (using 2 relay outputs in series)

Steps
Action
Send a command to the analog converter or to the repeater to go to the high alarm current output and verify that the relay contacts
(between terminal blocks 5-8) trip.
Send a command to the analog converter or to the repeater to go to the low alarm current output and verify that the relay contacts
(between terminal blocks 5-8) trip.
the repeater and trip amplifiers.
Steps
Action
Perform a two-point calibration of the analog trip amplifier (i.e. 4mA and 20mA) and verify that the relay contacts (between terminal
blocks 5-8) trip.
Steps
Action
Remove the jumper between terminal blocks 6-7.
blocks 5-6) trip.
blocks 7-8) trip.
Restore the jumper between terminal blocks 6-7.
Page 41 of 46
7.9
PSD1206, PSD1210
This procedure specifies the type of test that must be carried on the supply unit at the end of the T-proof period
of operation to verify the correct operation of protection circuits in the supply unit required to restore the SIL
(Safety Integrity Level) required. The estimated efficiency of the test is 60 % for the power supply itself and
99 % for the protective means (over voltage protection and crowbars).
The functions to be tested are:
Output current capability.
Crowbar A operation.
Crowbar B operation.
Over voltage limiting.
Paralleling diode operation.
Current sharing capability.
7.9.1
Test Setup
Equipments items required to perform the test are:
Ampere meter with a range 0 to 10 A with a resolution of 0.1 A or better.
300 W variable power resistor, adjustable between 2 and 25 , with a current capability of 10 A for testing of
model PSD1210 or 150 W variable power resistor, adjustable between 4 and 25 , with a current capability
of 6 A to test model PSD1206.
A 10 K trimmer.
7.9.2
Test of single Power Supply or individual unit of N unit in parallel
Make sure that the power supply unit under test can be disconnected without creating operational malfunctions or
damages to the system. Then connect the test circuit set-up components according to the test set-up schematic.
Table 101: Steps for the Proof test 1 (Output current capability)
Steps
Action
Set the load resistor to 25 for minimum loading.
Connect the mains power connections and apply power to the test circuit, wait 30 minutes for warm-up and stabilization.
Check voltage at output terminals to be within the limits (23.6 Vdc to 24.4 Vdc) and adjust the voltage regulating trimmer if required.
Adjust load current to 10 A for PSD1210 or 6 A for PSD1206.
Check voltage at output terminals to be within the limits (23.6 Vdc to 24.4 Vdc) and load current to be as above.
Table 102: Steps for the Proof test 2 (Crowbar A operation)

Steps
Action
Connect a jumper between test terminals B1 and B2 to disable over voltage protection.
Connect a jumper between test terminals S2 and COM to disable crowbar B.
Turn the trimmer to have the maximum resistance.
Connect the 10 K trimmer between terminals C1 and C2.
Monitor output voltage that should be above 24 V nominal at 80% of full load, slowly turn the trimmer to decrease its resistance and
observe the corresponding output voltage that should increase.
At some point the crowbar A will fire shorting the output voltage to < 2 V. The maximum voltage obtained just before the crowbar firing
point should be between 27.0 V and 29.0 V.
Shutdown the power supply to reset the crowbar.
Turn the trimmer fully to have the maximum resistance.
Disconnect the jumper from test terminals S2 and COM.
Page 42 of 46
Table 103: Steps for the Proof test 3 (Crowbar B operation)

Steps
Action
Switch on the power supply.
Connect a jumper between test terminals S1 and COM to disable crowbar A.
Monitor output voltage that should be above 24 V nominal at 80% of full load, slowly turn the trimmer to decrease its resistance and
observe the corresponding output voltage that should increase.
At some point the crowbar B will fire shorting the output voltage to < 2 V. The maximum voltage obtained just before the crowbar firing
point should be between 27.0 V and 29.0 V.
Shutdown the power supply to reset the crowbar.
Disconnect the trimmer from terminals C1 and C2.
Disconnect the jumper between test terminals B1 and B2 to enable the over voltage protection.
Table 104: Steps for the Proof test 4 (Over-voltage Protection operation)
Steps
Action
Switch on the power supply.
Connect a jumper between test terminals S1 and COM to disable crowbar A.
Connect a jumper between test terminals S2 and COM to disable crowbar B.
Connect a jumper between test terminals A1 and A2 to disable voltage regulation circuit.
Verify output voltage that should be between 25.5 V and 28 V nominal at 80% of full load.
Disconnect the jumper from test terminals A1 and A2.
7.9.3
Tests required when the unit is used as subsystem of N units in parallel
This test is required only if the power supply unit is used in parallel configuration and may be skipped otherwise.
However if the system is updated the test must be performed before start-up.
Table 105: Steps for the Proof test 5 (Paralleling diode operation)
Steps
Action
Shutdown the other Power Supply units.
Connect the mains power connections and apply power to the power supply under test, wait 30 minutes for warm-up and stabilization.
Adjust load current to 10 A for PSD1210 or 6 A for PSD1206.
Connect a voltmeter across the paralleling diode terminals D2(+) and D1(-) and check that voltage drop is within limits (0.3 V to 0.7 V).
Switch on at least one other power supply.
Switch off the supply under test.
Check that the voltage across paralleling diode to be within limits (-22 V to -26 V).
Table 106: Steps for the Proof test 6 (Current sharing capability)
Steps
Action
Connect to the output of each power supply an ampere meter in order to measure the individual output current.
Connect the output in parallel to the required load.
Connect the current sharing terminal blocks (CS).
Connect the mains power to all the units under test.
Check voltage at output terminals to be within the limits (23.6 Vdc to 24.4 Vdc).
Adjust load current to the maximum required by the system.
Check the output current from each unit, which should have a spread not greater than 10%.
To maintain the power supply system safety integrity level, SIL 2 (ND loads) or SIL 3 (NE loads), also during the
T-proof periodic test, in addition two redundant units for each system are required.
If N is the number of power supply units connected in parallel, for the maximum load current required to the power
supply system without redundancy, the total number of modules must be N+2.
In the following, the PSD1210 model is used (10 A at 24 Vdc), but the concept is also applicable to
PSD1206 model (6 A at 24 Vdc).
Page 43 of 46
Table 107: Number of power supply units connected in parallel for different maximum load currents required to the
power supply system.
Maximum load current
required to the power
supply system
Number of power supply units

at least required to satisfy
maximum load current
Number of power supply units,

with redundancy required for
normal operation of system
Number of power supply units,

with redundancy required for
normal operation and during
T-proof periodic test of system
(A)
N+1
N+2
10
20
30
40
50
For NE load:
a) SIL 2 with T-proof = 1 year;
b) SIL 2 with T-proof = 3 years.
For ND load:
c) SIL 1 with T-proof = 5 years;
d) SIL 1 with T-proof = 10 years.
During T-proof of each power supply
unit, the power supply system can not
sustain the maximum load current
because redundancy (N+1) is absent.
For NE load:
a) SIL 3 with T-proof = 3 years or
SIL 2 with T-proof = 10 years;
b) SIL 3 with T-proof = 6 years or
SIL 2 with T-proof = 10 years.
For ND load:
c) SIL 2 with T-proof = 9 years or
SIL 1 with T-proof = 10 years;
For NE load:
a) SIL 3 with T-proof = 3 years;

unit, the power supply system can
sustain the maximum load current but
SIL value changes from SIL 3 to
SIL 2 (for NE load) or from SIL 2 to
SIL 1 (for ND load), because
redundancy (N+2) is absent.

unit, the power supply system can
sustain the maximum load current
and maintain SIL 3 value (for NE
load) or SIL 2 value (for ND load),
because redundancy (N+2) is
present.
b) SIL 3 with T-proof = 6 years.

For ND load:
c) SIL 2 with T-proof = 9 years;
Where: a) or c) supposing that power supply system doesnt contribute more than 10 % of total SIF dangerous failure;
b) or d) supposing that power supply system doesnt contribute more than 20 % of total SIF dangerous failure.
MODEL PSD1206
CS
L/+ N/-
Current
Sharing
Current
Sharing
MODEL PSD1206
SIL 3
CS
L/+ N/-
Connection for current sharing
24 Vdc
Output Bus
Fault
Output 1
Supply
Input 1
Fault
Output 2
Supply
Input 2
Figure 3: Draft about connection of 2 units PSD1206 in parallel mode.
Page 44 of 46
MODEL PSD1210
CS
L/+ N/-
Current
Sharing
Current
Sharing
MODEL PSD1210
SIL 3
CS
L/+ N/-
Connection for current sharing
24 Vdc
Output Bus
Fault
Output 1
Supply
Input 1
Fault
Output 2
Supply
Input 2
Figure 4: Draft about connection of 2 units PSD1210 in parallel mode.
Page 45 of 46
Impact of Lifetime of Critical Components on Failure Rate
Although a constant failure rate is assumed by the probabilistic estimation method (see section 3 and 4) this only
applies provided that the useful lifetime of components is not exceeded. Beyond this useful lifetime, the result of the
probabilistic calculation method is meaningless as the probability of failure significantly increases with time.
The useful lifetime is highly dependent on the component itself and its operating conditions temperature in particular
(for example, electrolyte capacitors can be very sensitive to temperature).
This assumption of a constant failure rate is based on the bathtub curve, which shows the typical behavior for
electronic components.
Therefore it is obvious that PFDavg calculation is only valid for components that have this constant domain and that
the validity of the calculation is limited to the useful lifetime of each component.
It is assumed that early failures are detected to a huge percentage during the installation period and therefore the
assumption of a constant failure rate during the useful lifetime is valid.
However, according to section 7.4.7.4 of IEC 61508-2, a useful lifetime, based on experience, should be assumed.
According to section 7.4.7.4 note 3 of the IEC 61508-2 experience has shown that the useful lifetime often lies within
a range of about 10-15 years.
Influence of PFDavg calculation on efficiency of Proof Test

for a 1oo1 architecture.
The equation of PFDavg, applicable when the component or sub-system is new and when du are 99 % known by
proof test is:
PFDavg du
TI
2
When these tests do not detect at least 99 % of du the same equation changes to:
PFDavg ( Et du
TI
SL
) (1 Et ) du
2
2
where:
Et is the effectiveness of proof test (0-100 %)
SL can be intended as one of the following:
1) Time between two proof tests with 99-100 % effectiveness;
2) Time between two replacements;
3) Component Lifetime if no substitution and no proof test is meant to be done.
For TI = 1 year the equation becomes:
PFDavg Et
du
SL
1 Et du
2
2
Example 1:
du = 0.01 / yr ; TI = 1 yr ; SL = 12 yrs ; Et = 90 % = 0.9 ; PFDavg = 0.0002 / yr
At installation: PFDavg = 0.01 / 2 = 0.005 / yr ; RRF = 1 / PFDavg = 1 / 0.005 = 200 (Suitable for SIL 2)
After 1 yr:
PFDavg = (0.9 x 0.01/2) + (0.1 x 0.01 x 6) = 0.0105 ; RRF = 95 (Suitable for SIL 1)
Example 2:
du = 0.01 / yr ; TI = 1 yr ; SL = 12 yrs ; Et = 99 % = 0.99 ; PFDavg = 0.0002 / yr
At installation: PFDavg = 0.01 / 2 = 0.005 / yr ; RRF = 1 / PFDavg = 1 / 0.005 = 200 (Suitable for SIL 2)
After 1 yr:
PFDavg = (0.99 x 0.01/2) + (0.01 x 0.01 x 6) = 0.0056 ; RRF = 178 (Suitable for SIL 2)
Document subject to change without notice, please refer to web site for latest update
G.M. International s.r.l. Via San Fiorano 70, 20852 Villasanta (MB) Italy
Phone +39 039 2325 038 Fax +39 039 2325 107 e-mail: info@gmintsrl.com Web: www.gmintsrl.com
Page 46 of 46

Functional Safety Manual For Safety Related Systems and SIL 2, SIL 3 Applications According IEC 61508 & IEC 61511 Standards

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Functional Safety Manual For Safety Related Systems and SIL 2, SIL 3 Applications According IEC 61508 & IEC 61511 Standards

Încărcat de

Drepturi de autor:

Formate disponibile

D1000 Series Manual for Safety Related System SIL applications